Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. You can also report on the encryption status of an individual computer and on the entire enterprise. As part of the prerequisites, you must define certain roles and accounts that are used in MBAM to provide security and access rights to specific servers and features, such as the databases that are running on the instance of SQL Server and the web applications that are running on the Administration and Monitoring Server. Kindly refer to the following guide: How to fix you are not allowed to view this folder on SSRS, how to correctly disable Microsoft BitLocker Administration and Monitoring encrypted devices, how to hide the Default BitLocker Drive Encryption item in the Windows Control Panel, and how to check if Microsoft BitLocker Administration and Monitoring (MBAM) is installed on Windows.
Note: After the installation of Microsoft BitLocker Administration and Monitoring (MBAM) is complete for all server features, administrative users must be granted access to these server features. As a best practice, administrators who will manage or use MBAM server features should be assigned to Active Directory security groups and then those groups should be added to the appropriate MBAM administrative local group.Users and Groups created in Active Directory to support MBAM installation
The following groups and users were created in Active Directory. Users do not have to have greater user rights. A domain user account is sufficient. You’ll have to specify the name of these groups during configuration of MBAM 2.5. Below are the created service accounts and security groups. Service Accounts (users) do not need to have greater user rights.
After Microsoft BitLocker Administration and Monitoring (MBAM) Setup is complete for all server features, administrative users will have to be granted access to them. As a best practice, administrators who will manage or use Microsoft BitLocker Administration and Monitoring Server features should be assigned to Domain Services security groups, and then those groups should be added to the appropriate MBAM administrative local group. This is way better than adding users directly to the SSRS Users/Groups in order to administer the MBAM reports as shown in the image below.
You are free to use any name of your choice. As you can see from the image above, and also in the table below, I have used descriptive names I will be able to identify in my Lab environment. You are free to use the name you like or as documented in the Microsoft guide.
| Name | SA/ SG | Description |
| MBAM-RO-SVC | User Account | Read-only service account: Domain user group whose members have read-only access to the reports in the Reports area of the Administration and Monitoring Website |
| MBAM-RW-SVC | User Account | Read/write service account |
| MBAM-IISAP-SVC | User Account | IIS application pool service account: Domain user account to be used by the application pool for the web applications. The same account also used to Configure Databases page. |
| MBAM Helpdesk Users | Security Group | Members of this group are granted read-only access to the helpdesk portal |
| MBAM Advanced Helpdesk Users | Security Group | Members of this group are provided with helpdesk access without the need to specify user and computer details for recovery |
| MBAM Report Users | Security Group | Members of this group have access to the MBAM SSRS reports |
| MBAM Database Read-Only | Security Group | Security Group for adding Read-Only DB members |
| MBAM Database Read-Write | Security Group | Security Group for adding Read-Write DB members |
As you can see in the image below, these are how these accounts and groups were added to thr MBAM (SQL) Server to support MBAM deployment. In the post-installation of SQL Server, make sure that you provide the user accounts in SQL Server, and assign the permissions to the user or (groups) that will be configuring the MBAM database and reporting roles on the database server. These same prerequisites also apply to the compliance and audit database.
To manage MBAM Administrator Role memberships
These roles are vital for the installation of MBAM features and the post-installation of MBAM features as well. Kindly refer to this link on how these roles were used in the installation of the MBAM MBAM/features. On the Administration and Monitoring Server, add users to the following local groups to give them access to the MBAM Help Desk website features:
- MBAM Helpdesk Users: Members of this local group can access the Drive Recovery and Manage TPM features on the MBAM Administration and Monitoring website. All fields in Drive Recovery and Manage TPM are required fields for a Helpdesk User.
- MBAM Advanced Helpdesk Users: Members of this local group have advanced access to the Drive Recovery and Manage TPM features on the MBAM Administration and Monitoring website. For Advanced Helpdesk Users, only the Key ID field is required in Drive Recovery. In Manage TPM, only the Computer Domain field and Computer Name field are required.
On the Administration and Monitoring Server, add users to the following local group to enable them to access the Reports feature on the MBAM Administration and Monitoring website:
- MBAM Report Users: Members of this local group can access the Reports features on the MBAM Administration and Monitoring website. The image below shows how this group is utilized in the installation of the MBAM reports.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.